
jasperreports's Introduction

Important

JasperReports Library 7 coming soon!

Work is in progress on a separate branch (release-7.0.0) that will introduce a major refactoring of the library, which is needed for the Jakarta Migration. The changes improve dependency management by splitting the library into multiple optional artifacts (*.jar files) according to the functionality they provide. Deprecated code has been removed and the backward compatibility of serialized/compiled *.jasper report template files has been deliberately broken.

More details about the upcoming changes can be found here.

JasperReports® Library - Free Java Reporting Library

The JasperReports Library is the world's most popular open source reporting engine. It is written entirely in Java and can use data coming from any kind of data source to produce pixel-perfect documents that can be viewed, printed or exported in a variety of document formats including HTML, PDF, Excel, OpenOffice, MS Word and others.


Jaspersoft® Studio - report designer for the JasperReports Library

The report templates for the JasperReports Library are XML files which can be edited using a powerful, open source, Eclipse-based report designer called Jaspersoft Studio. Using Jaspersoft Studio, reports can be built out of any data source and can have their look and feel formatted for printing or on-screen reading, or can be deployed to a JasperReports Server instance, JasperReports IO repository or to a custom application using the JasperReports Library implementation and exported to a wide range of output document formats.

JasperReports Server - reporting and analytics server

JasperReports Server is a stand-alone and embeddable reporting server. It provides reporting and analytics that can be embedded into a web or mobile application as well as operate as a central information hub for the enterprise by delivering mission critical information on a real-time or scheduled basis to the browser, mobile device, or email inbox in a variety of file formats. JasperReports Server is optimized to share, secure, and centrally manage your Jaspersoft reports and analytic views.

JasperReports Web Studio - web-based version of the desktop Jaspersoft® Studio

JasperReports Web Studio is a new web visual designer that creates and edits report templates for the JasperReports® Library reporting engine and the whole Jaspersoft® family of products that use the open-source library to produce dynamic content and rich data visualizations.

JasperReports IO - reporting and data visualization in a world of cloud, microservices, and DevOps

JasperReports IO is a RESTful reporting and data visualization service built on JasperReports Library, designed for generating reports and data visualizations in modern software architectures. Just as the JasperReports Library offers a Java API to leverage a powerful and high quality reporting engine inside Java applications, JasperReports IO offers a REST API to leverage the same reporting engine from any other software development platform.


jasperreports's Issues

Release 6.7.0: Incorrect version number "6.6.0"

The MANIFEST of jasperreports.jar of release 6.7.0 contains the incorrect version number "6.6.0". Unfortunately it is even more confusing because this version number is used in the "creator" field of the resulting export file (PDF etc.).

PrintDrawVisitor - Duplicated Code

https://github.com/Jaspersoft/jasperreports/blob/master/jasperreports/src/net/sf/jasperreports/engine/export/draw/PrintDrawVisitor.java all the visit methods are duplicated code that can be refactored to a single method call that iterates over a single List that contains the following instance variables:

private final LineDrawer lineDrawer;
private final RectangleDrawer rectangleDrawer;
private final EllipseDrawer ellipseDrawer;
private final ImageDrawer imageDrawer;

A List of their common super interfaces would be more generic, leading the way to allowing third-party additions (e.g., a rectangle with drop-shadow).

Nested lists and return value

When two nested lists are created (say, L1 and L11), in JasperStudio's L11 dataset run it was possible and worked (6.2) to return values to the main's report variables. In fact it was the only way, as it cannot return values to L1's variable.

Now with the JasperReports 6.8 library this usage does not compile, saying the variable does not exist.

WS-2009-0001 (Low) detected in commons-codec-1.11.jar

WS-2009-0001 - Low Severity Vulnerability

Vulnerable Library - commons-codec-1.11.jar

The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

Library home page: http://commons.apache.org/proper/commons-codec/

Path to dependency file: /jasperreports/jasperreports/pom.xml

Path to vulnerable library: /root/.m2/repository/commons-codec/commons-codec/1.11/commons-codec-1.11.jar

Dependency Hierarchy:

  • poi-4.0.1.jar (Root Library)
    • commons-codec-1.11.jar (Vulnerable Library)

Found in HEAD commit: cb8f9004be492ccc537180b49c026951f4220bf3

Vulnerability Details

Not all "business" method implementations of public API in Apache Commons Codec 1.x are thread safe, which might disclose the wrong data or allow an attacker to change non-private fields.

Updated 2018-10-07 - an additional review by WhiteSource research team could not indicate on a clear security vulnerability

Publish Date: 2007-10-07

URL: WS-2009-0001

CVSS 2 Score Details (0.0)

Base Score Metrics not available


Step up your Open Source Security Game with WhiteSource here

Infinite loop - Date field inside header band

Dear All,

We are facing an infinite loop issue when trying to retrieve a report that has a field of type date in the header band, where the size of this element is less than the size of its data content. If we increase the size of this input, the report is generated properly.
This issue appears under all JasperSoft releases (release 6.4.0 and lower).
Is it possible to fix it through the code of Jasper instead of fixing it manually? We are currently working with the libraries jasperreports-javaflow-5.5.0.jar and jasperreports-javaflow-6.1.1.jar.
Below is the related jrxml; you can test it under any Oracle DB. The problematic field in the header is 'DATE_CREATED'.

New Feat. XLSX Template Support

I apologize if I shouldn't be opening a new issue, but I would like to see the templating feature in JrXlsExporter extended to JrXlsXExporter, in other words support for templates in the XLSX format.
Maybe the JrXlsExporter could be updated to use the generic POI Model SS API, supporting both XLS and XLSX using the same model classes. I'd happily assist a developer in this, and test the solution as well.
Thanks in advance

Upgrade lucene dependencies

Hello,
do you think it is possible to upgrade lucene to newer version (7.x.x)? Current version (4.5.1) is really old.

Thanks.

Add method fill with FillListener parameter

Please create an overloaded method fill() with an additional parameter FillListener.

Something like this:

	public static JasperPrint fill(JasperReportsContext jasperReportsContext, JasperReport jasperReport,
			Map<String, Object> parameters, Connection connection, FillListener fillListener) throws JRException {
		ReportFiller filler = JRFiller.createReportFiller(jasperReportsContext, jasperReport);
		filler.addFillListener(fillListener);

		try {
			JasperPrint jasperPrint = filler.fill(parameters, connection);

			return jasperPrint;
		} catch (JRFillInterruptedException e) {
			throw new JRException(JRFiller.EXCEPTION_MESSAGE_KEY_THREAD_INTERRUPTED, null, e);
		}
	}

Use context.initSafeStandardObjects instead of context.initStandardObjects

https://github.com/Jaspersoft/jasperreports/blob/895d17ad3fb3bc8cdbb961edaa9a073e110a05d0/jasperreports/src/net/sf/jasperreports/compilers/JavaScriptEvaluatorScope.java#L164

Using initStandardObjects allows users to inject code in the report designs in order to load/import undesired Java classes into the JavaScript execution environment. Please consider fixing it.

If initStandardObjects must be used, consider creating a JS Context object that uses ClassShutter to whitelist the safe Java classes.
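
The two mitigations proposed in this issue, side by side, as an added example that is not JasperReports code. The class name RhinoScopeDemo, the allow-list contents and the sample expressions are assumptions; the Rhino jar must be on the classpath.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import org.mozilla.javascript.Context;
import org.mozilla.javascript.ContextFactory;
import org.mozilla.javascript.RhinoException;
import org.mozilla.javascript.Scriptable;

/** Added example, not JasperReports code. Requires the Rhino jar on the classpath. */
public class RhinoScopeDemo {

    /** Hypothetical allow-list of Java classes that report expressions may use. */
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "java.lang.String", "java.lang.Math", "java.math.BigDecimal"));

    /** Factory whose contexts consult the allow-list before exposing any Java class. */
    private static final ContextFactory SHUTTERED = new ContextFactory() {
        @Override
        protected Context makeContext() {
            Context cx = super.makeContext();
            // ClassShutter.visibleToScripts(String) receives the fully qualified
            // class name; a shutter can be set only once per Context.
            cx.setClassShutter(ALLOWED::contains);
            return cx;
        }
    };

    /** Evaluates one expression in a fresh scope and returns the result as text. */
    static String eval(ContextFactory factory, boolean safeScope, String expr) {
        Context cx = factory.enterContext();
        try {
            Scriptable scope = safeScope
                    ? cx.initSafeStandardObjects()  // no java / Packages / JavaImporter globals
                    : cx.initStandardObjects();     // Java bridge globals are present
            return Context.toString(cx.evaluateString(scope, expr, "expr", 1, null));
        } catch (RhinoException e) {
            // Script errors (e.g. ReferenceError for a missing global) end up here.
            return "error: " + e.getMessage();
        } finally {
            Context.exit();
        }
    }

    public static void main(String[] args) {
        // Constructed sample expressions; none of them comes from a real report.
        String[] exprs = {
            "typeof Packages",
            "java.lang.Math.max(2, 3)",
            "typeof java.io.File",
        };
        ContextFactory plain = new ContextFactory();
        for (String expr : exprs) {
            System.out.println(expr);
            System.out.println("  initStandardObjects:                " + eval(plain, false, expr));
            System.out.println("  initStandardObjects + ClassShutter: " + eval(SHUTTERED, false, expr));
            System.out.println("  initSafeStandardObjects:            " + eval(plain, true, expr));
        }
    }
}
```

A shutter only limits which classes scripts can name; every public member of an allowed class stays callable, so the allow-list should hold only classes whose whole public API is acceptable to expose.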

Null message in BarcodeImageProducer

Hi,
at least in version 4.5.1, rendering a bar-code with a null message would yield no error (no bar-code would be rendered). With 6.6.0 I am getting an NPE, avoiding which means updating all report templates.

Would it be possible to make the code in the BarcodeImageProducer implementations more lenient? My current approach is to use a patched BarcodeRasterizedImageProducer where the createImage method does a null pointer check before doing the actual rendering.

regards,
juraj

CVE-2019-12384 (Medium) detected in jackson-databind-2.9.8.jar

CVE-2019-12384 - Medium Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /jasperreports/jasperreports/pom.xml

Path to vulnerable library: 2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar

Dependency Hierarchy:

  • jackson-databind-2.9.8.jar (Vulnerable Library)

Found in HEAD commit: cb8f9004be492ccc537180b49c026951f4220bf3

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.9 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.

Publish Date: 2019-06-24

URL: CVE-2019-12384

CVSS 2 Score Details (5.0)

Base Score Metrics not available



Add support for configuring JDBC statement query timeout

It would be nice to be able to control how long a query in a Jasper report can run when running a Jasper report synchronously. We have an application where users can write their own Jasper reports, upload them, and run them. If a report has a query that takes a long time to run it can take up database resources and there's no way to stop it. Add a property to set the java.sql.Statement#setQueryTimeout(int) value in JRJdbcQueryExecuter. (Once the timeout is reached, the JDBC driver tells the database to cancel the query)

This would allow applications using JasperReports to have fine-grain control over how long Jasper report SQL queries should be able to run to prevent reports from exhausting database resources.

Red layer above QR and Barcode in PDF

Hi guys, if I open the PDF generated by Jasper with an editor like Illustrator, I see a red layer above the QR code and barcode. This does not happen in Adobe Reader nor in the browser preview viewer.
If you print the document from this editor, the layer is printed; since the QR code or barcode is behind it, it is not printed, so they are impossible to read.

do you have any idea how to solve it?

Thanks in advance

Implementation-Version manifest entry value is not up to date

The Implementation-Version manifest entry defined here was not updated for the 6.7.0 release.

This results in calls to Package.getPackage("net.sf.jasperreports.engine").getImplementationVersion(); at runtime report that it's JasperReports version 6.6.0, not 6.7.0. This is done in a few spots in the JasperReports source code such as in the PDF exporter.

I'm unsure if the final JAR for this project is built with Maven or Ivy, but if it's built with Maven it might be worth applying filtering to the MANIFEST.MF file and use ${pom.version} as the value of the Implementation-Version manifest entry so that it doesn't have to be manually changed each time there's a new JasperReports version.

Two additional newlines when exporting to text file

Hi all,
I've created a very simple Jasper report in Studio, version 6.8.0. My template contains only a detail band; all other areas are removed. I also set Ignore pagination to true to get a fluent file without any breaks. My problem is that I get two extra end lines at the end of the exported file. In summary, the file finishes with 3 end lines, as described in the following threads:
https://stackoverflow.com/questions/43282485/jasperreports-text-file-contains-2-newline-characters-at-the-end-of-every-page
https://community.jaspersoft.com/jasperreports-server/issues/6446

What I found out in second link, only added to jrxml works, studio have problem to define empty value

Can somebody help me where is problem? When exporting to csv, file normally is ended with one end line.
thanks
brpalo

Not An Issue : How to access private and protected members of Jasper object?

I am using this library to create a Jasper object but the object which gets created has some private members in it like Static text element has “TEXT” field protected.
However, I need to access the private or protected properties of these elements in some cases.
Could you please guide me with this.

upgrade itext dependency

jasperreports is currently depending on itext 2.1.7.js5, which is pretty old and is depending on other old things such as bctsp-jdk14, among others, which have security vulnerabilities.

Would it be possible to upgrade jasperreports to use a more recent version of itext, lets say 5.5.11?

com.itextpdf itextpdf 5.5.11

NPE for staticText element

I am using v6.5.1 and have a report with a band that contains a single chart and a static text like this:

<staticText>
  <reportElement style="section title" x="11" y="30" width="520" height="20" uuid="5aec9479-4c72-487d-a216-6e19336ab97b"/>
  <text><![CDATA[Performance]]></text>
</staticText>

Whenever that band does not fit on the current page and is moved to the next page, the refill of the static text runs into a NPE (see below). The problem seems to be caused by JRFillTextElement#rewind, in which rawText is set to the value of oldRawText, which is null. Judging from the constructors of JRFillStaticText, rawText is never supposed to be null.

The report renders just fine with net.sf.jasperreports.legacy.band.evaluation.enabled=true

java.lang.NullPointerException: null
	at net.sf.jasperreports.engine.fill.JRFillTextElement.setPrintText(JRFillTextElement.java:1057)
	at net.sf.jasperreports.engine.fill.JRFillStaticText.fill(JRFillStaticText.java:215)
	at net.sf.jasperreports.engine.fill.JRFillElementContainer.fillElements(JRFillElementContainer.java:1039)
	at net.sf.jasperreports.engine.fill.JRFillBand.fill(JRFillBand.java:454)
	at net.sf.jasperreports.engine.fill.JRFillBand.fill(JRFillBand.java:413)
	at net.sf.jasperreports.engine.fill.JRFillBand.refill(JRFillBand.java:385)
	at net.sf.jasperreports.engine.fill.JRVerticalFiller.fillColumnBand(JRVerticalFiller.java:2608)
	at net.sf.jasperreports.engine.fill.JRVerticalFiller.fillDetail(JRVerticalFiller.java:791)
	at net.sf.jasperreports.engine.fill.JRVerticalFiller.fillReportStart(JRVerticalFiller.java:252)
	at net.sf.jasperreports.engine.fill.JRVerticalFiller.fillReport(JRVerticalFiller.java:99)
	at net.sf.jasperreports.engine.fill.JRBaseFiller.fill(JRBaseFiller.java:609)
	at net.sf.jasperreports.engine.fill.BaseReportFiller.fill(BaseReportFiller.java:405)
	at net.sf.jasperreports.engine.fill.JRFiller.fill(JRFiller.java:140)
	at net.sf.jasperreports.engine.JasperFillManager.fill(JasperFillManager.java:667)
	at net.sf.jasperreports.engine.JasperRunManager.runToPdf(JasperRunManager.java:493)
	at net.sf.jasperreports.engine.JasperRunManager.runReportToPdf(JasperRunManager.java:896)

CVE-2016-1000340 (High) detected in bcprov-jdk15on-1.52.jar

CVE-2016-1000340 - High Severity Vulnerability

Vulnerable Library - bcprov-jdk15on-1.52.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /jasperreports/jasperreports/pom.xml

Path to vulnerable library: /root/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.52/bcprov-jdk15on-1.52.jar

Dependency Hierarchy:

  • itext-2.1.7.js6.jar (Root Library)
    • bcprov-jdk15on-1.52.jar (Vulnerable Library)

Found in HEAD commit: cb8f9004be492ccc537180b49c026951f4220bf3

Vulnerability Details

In the Bouncy Castle JCE Provider versions 1.51 to 1.55, a carry propagation bug was introduced in the implementation of squaring for several raw math classes have been fixed (org.bouncycastle.math.raw.Nat???). These classes are used by our custom elliptic curve implementations (org.bouncycastle.math.ec.custom.**), so there was the possibility of rare (in general usage) spurious calculations for elliptic curve scalar multiplications. Such errors would have been detected with high probability by the output validation for our scalar multipliers.

Publish Date: 2018-06-04

URL: CVE-2016-1000340

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Change files

Origin: bcgit/bc-java@7906420#diff-e5934feac8203ca0104ab291a3560a31

Release Date: 2016-11-29

Fix Resolution: Replace or update the following files: Nat160.java, Nat256.java, Nat192.java, SecP256R1FieldTest.java, Nat128.java, Nat224.java, SecP384R1FieldTest.java



CVE-2016-1000341 (Medium) detected in bcprov-jdk15on-1.52.jar

CVE-2016-1000341 - Medium Severity Vulnerability

Vulnerable Library - bcprov-jdk15on-1.52.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /jasperreports/jasperreports/pom.xml

Path to vulnerable library: /root/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.52/bcprov-jdk15on-1.52.jar

Dependency Hierarchy:

  • itext-2.1.7.js6.jar (Root Library)
    • bcprov-jdk15on-1.52.jar (Vulnerable Library)

Found in HEAD commit: cb8f9004be492ccc537180b49c026951f4220bf3

Vulnerability Details

In the Bouncy Castle JCE Provider version 1.55 and earlier DSA signature generation is vulnerable to timing attack. Where timings can be closely observed for the generation of signatures, the lack of blinding in 1.55, or earlier, may allow an attacker to gain information about the signature's k value and ultimately the private value as well.

Publish Date: 2018-06-04

URL: CVE-2016-1000341

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000341

Release Date: 2018-06-04

Fix Resolution: 1.56



Add firstPageFooter

The page footer section to use on the first page instead of the normal page footer. This might not be the very next page of the document in case the summary section is also present. This section is sometimes useful when summary information has to be displayed at the bottom of the first page.

It's like lastPageFooter but only in first page

Can't change QR encoding

As I've seen in QRCodeSVGImageProducer and QRCodeRasterizedImageProducer

The charset is being hardcoded

hints.put(EncodeHintType.CHARACTER_SET, QRCodeComponent.PROPERTY_DEFAULT_ENCODING);

QRCodeComponent.PROPERTY_DEFAULT_ENCODING is "UTF-8"
QRCodes are always in UTF-8, that gives us problems with DATALOGIC scan readers which can't support UTF-8.

a parameter config like

net.sf.jasperreports.components.barcode4j.qrcode.encoding=UTF-8
net.sf.jasperreports.components.barcode4j.qrcode.encoding=ISO-8859-1

would be perfect

warning in 6.8.0 with java 11

I am using JasperReports 6.8.0 in my project and I get this warning when I upgrade to Java 11:

WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by net.sf.jasperreports.engine.util.ClassUtils (jar:file:/home/ahmed/Public/Projects/ERPSystem-Java11/oras/oras.jar!/BOOT-INF/lib/jasperreports-6.8.0.jar!/) to constructor com.sun.org.apache.xerces.internal.util.XMLGrammarPoolImpl()
WARNING: Please consider reporting this to the maintainers of net.sf.jasperreports.engine.util.ClassUtils
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release

I get it when I invoke this line:
JasperCompileManager.compileReportToStream(getClass().getResourceAsStream(jasper), fileOutputStream);

Spring fix.

Spring support is broken. <ref local is no longer supported by spring schema - you must use <ref bean instead.
Since I cannot create a pull request, I have attached the fixes to this issue.

Cheers,
/.Springzen

SpringFix.zip

CVE-2019-12086 (High) detected in jackson-databind-2.9.8.jar

CVE-2019-12086 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /jasperreports/jasperreports/pom.xml

Path to vulnerable library: 2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar

Dependency Hierarchy:

  • jackson-databind-2.9.8.jar (Vulnerable Library)

Found in HEAD commit: cb8f9004be492ccc537180b49c026951f4220bf3

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.

Publish Date: 2019-05-17

URL: CVE-2019-12086

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086

Release Date: 2019-05-17

Fix Resolution: 2.9.9



FontUtil throws NullPointerException

I have an application that upgraded jasperreports from 6.0.3 to 6.5.0. It throws a NullPointerException:

java.lang.NullPointerException: null
	at net.sf.jasperreports.engine.fonts.FontUtil.getFontInfo(FontUtil.java:210) ~[jasperreports-6.5.0.jar:6.5.0]
	at net.sf.jasperreports.engine.util.JRStyledTextUtil.loadFamilyFonts(JRStyledTextUtil.java:454) ~[jasperreports-6.5.0.jar:6.5.0]
	at net.sf.jasperreports.engine.util.JRStyledTextUtil.getFamilyFonts(JRStyledTextUtil.java:441) ~[jasperreports-6.5.0.jar:6.5.0]
	at net.sf.jasperreports.engine.util.JRStyledTextUtil.getFamilyFonts(JRStyledTextUtil.java:432) ~[jasperreports-6.5.0.jar:6.5.0]
	at net.sf.jasperreports.engine.util.JRStyledTextUtil.resolveFonts(JRStyledTextUtil.java:190) ~[jasperreports-6.5.0.jar:6.5.0]
	at net.sf.jasperreports.engine.util.JRStyledTextUtil.resolveFonts(JRStyledTextUtil.java:170) ~[jasperreports-6.5.0.jar:6.5.0]
	at net.sf.jasperreports.engine.fill.JRFillTextElement.getProcessedStyledText(JRFillTextElement.java:612) ~[jasperreports-6.5.0.jar:6.5.0]
	at net.sf.jasperreports.engine.fill.JRFillTextElement.chopTextElement(JRFillTextElement.java:656) ~[jasperreports-6.5.0.jar:6.5.0]
	at net.sf.jasperreports.engine.fill.JRFillTextField.prepare(JRFillTextField.java:777) ~[jasperreports-6.5.0.jar:6.5.0]
	at net.sf.jasperreports.engine.fill.JRFillElementContainer.prepareElements(JRFillElementContainer.java:542) ~[jasperreports-6.5.0.jar:6.5.0]
	at net.sf.jasperreports.engine.fill.JRFillBand.fill(JRFillBand.java:438) ~[jasperreports-6.5.0.jar:6.5.0]
	at net.sf.jasperreports.engine.fill.JRFillBand.fill(JRFillBand.java:413) ~[jasperreports-6.5.0.jar:6.5.0]
	at net.sf.jasperreports.engine.fill.JRVerticalFiller.fillTitle(JRVerticalFiller.java:310) ~[jasperreports-6.5.0.jar:6.5.0]
	at net.sf.jasperreports.engine.fill.JRVerticalFiller.fillReportStart(JRVerticalFiller.java:244) ~[jasperreports-6.5.0.jar:6.5.0]
	at net.sf.jasperreports.engine.fill.JRVerticalFiller.fillReport(JRVerticalFiller.java:99) ~[jasperreports-6.5.0.jar:6.5.0]
	at net.sf.jasperreports.engine.fill.JRBaseFiller.fill(JRBaseFiller.java:609) ~[jasperreports-6.5.0.jar:6.5.0]
	at net.sf.jasperreports.engine.fill.BaseReportFiller.fill(BaseReportFiller.java:405) ~[jasperreports-6.5.0.jar:6.5.0]
	at net.sf.jasperreports.engine.fill.JRFiller.fill(JRFiller.java:140) ~[jasperreports-6.5.0.jar:6.5.0]
	at net.sf.jasperreports.engine.JasperFillManager.fill(JasperFillManager.java:667) ~[jasperreports-6.5.0.jar:6.5.0]
	at net.sf.jasperreports.engine.JasperFillManager.fillReport(JasperFillManager.java:983) ~[jasperreports-6.5.0.jar:6.5.0]

In name.equals(face.getFont().getFamily()), face.getFont() could be null.

Appending QR encoding when not necessary breaks old readers

After studying the QR engine in zxing, we've found a bug with some readers when the ISO-8859-1 character set is passed to the zxing library as a hint.

The bug arises when some old Datalogic readers can't detect the ECI (character encoding) coded in the QR, because (it's a guess) they only support ISO-8859-1, as you can see at #11.

Zxing only adds the ECI header when the hint is passed, so the solution would be to only send the character encoding hint when it's different from the default (ISO-8859-1). That means adding to QRCodeSVGImageProducer something like this:

// Avoid adding the ECI header when not necessary
if(!encoding.equals("ISO-8859-1"))
  hints.put(EncodeHintType.CHARACTER_SET, encoding);

CVE-2016-1000342 (High) detected in bcprov-jdk15on-1.52.jar

CVE-2016-1000342 - High Severity Vulnerability

Vulnerable Library - bcprov-jdk15on-1.52.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /jasperreports/jasperreports/pom.xml

Path to vulnerable library: /root/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.52/bcprov-jdk15on-1.52.jar

Dependency Hierarchy:

  • itext-2.1.7.js6.jar (Root Library)
    • bcprov-jdk15on-1.52.jar (Vulnerable Library)

Found in HEAD commit: cb8f9004be492ccc537180b49c026951f4220bf3

Vulnerability Details

In the Bouncy Castle JCE Provider version 1.55 and earlier ECDSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.

Publish Date: 2018-06-04

URL: CVE-2016-1000342

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000342

Release Date: 2018-06-04

Fix Resolution: 1.56



Not able to get hindi font correctly

Not able to load correct hindi font on pdf when sending from java, it is working in preview section of jasper soft studio & i am using font extension for custom font
Example :
sending parameter दिनेश
in preview it shows correct but when loading from java it shows
like this

CVE-2019-11358 (Medium) detected in jquery-3.3.1.min.js

CVE-2019-11358 - Medium Severity Vulnerability

Vulnerable Library - jquery-3.3.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js

Path to vulnerable library: /jasperreports/jasperreports/demo/samples/webapp-repo/web/scripts/jquery/core/jquery-3.3.1.min.js

Dependency Hierarchy:

  • jquery-3.3.1.min.js (Vulnerable Library)

Found in HEAD commit: 0fb7e06582547fef75b3ae82430331a23e178e89

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: 3.4.0



NullPointerException on calling processImageRetainShape

Sometimes, I'm getting an exception on calling processImageRetainShape (class: JRPdfExporter.java):

java.lang.NullPointerException
 at java.awt.color.ICC_Profile.activateDeferredProfile(ICC_Profile.java:1086) ~[?:1.7.0_80]
 at java.awt.color.ICC_Profile$1.activate(ICC_Profile.java:742) ~[?:1.7.0_80]
 at sun.java2d.cmm.ProfileDeferralMgr.activateProfiles(ProfileDeferralMgr.java:95) ~[?:1.7.0_80]
 at java.awt.color.ICC_Profile.getInstance(ICC_Profile.java:775) ~[?:1.7.0_80]
 at com.lowagie.text.Jpeg.processParameters(Unknown Source) ~[redoute-vendororderlifecycle-batch-deliverynotecrt-96.0.jar:96.0.0]
 at com.lowagie.text.Jpeg.<init>(Unknown Source) ~[redoute-vendororderlifecycle-batch-deliverynotecrt-96.0.jar:96.0.0]
 at com.lowagie.text.Image.getInstance(Unknown Source) ~[redoute-vendororderlifecycle-batch-deliverynotecrt-96.0.jar:96.0.0]
 at net.sf.jasperreports.engine.export.JRPdfExporter$InternalImageProcessor.processImageRetainShape(JRPdfExporter.java:1742)

This is a known bug in Java since 1.6:
"Loading ICC color profiles from multiple threads sometimes triggers a null pointer exception inside the JRE's ICC_Profile class."

Source: https://bugs.openjdk.java.net/browse/JDK-8058973

Value (variable) displayed in GroupFooter after upgrading from JasperReports API 6.3.1 to 6.7.0 is null. This happens on page 11/14 on the report.

Details:

Variable has the following properties:

  • Reset type = GROUP
  • Increment Type = NONE
  • Calculation = FIRST

Issue occurs when after printing the GroupHeader on the 10th page there is not enough space to print the Detail band so the variables are recalculated.

The flow is something like:
In JRVerticalFiller.fillDetail(), the condition detailBand.getBreakHeight() > columnFooterOffsetY - offsetY in the while loop is false, leading to JRVerticalFiller.fillColumnBand() being invoked.
When the detail is being filled, the JRPrintBand would overflow because one of the fields stretches. As the JRPrintBand will overflow, it causes JRVerticalFiller.fillColumnBreak() to be invoked and the JRPrintBand to be refilled. After JRVerticalFiller.fillColumnBreak(), JRCalculator.recalculateVariables() is called.
This method sets the variable's incremented value to the previous incremented value, but as the variable was reset when the group changed, the previous incremented value is null.

Is there a roadmap for Java 9 support?

Since Oracle is stopping public updates of jdk8 in January, I would like to know if there is a plan or timeline to support jdk9 (and successors) in JasperReports?

CVE-2016-1000339 (Medium) detected in bcprov-jdk15on-1.52.jar

CVE-2016-1000339 - Medium Severity Vulnerability

Vulnerable Library - bcprov-jdk15on-1.52.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /jasperreports/jasperreports/pom.xml

Path to vulnerable library: /root/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.52/bcprov-jdk15on-1.52.jar

Dependency Hierarchy:

  • itext-2.1.7.js6.jar (Root Library)
    • bcprov-jdk15on-1.52.jar (Vulnerable Library)

Found in HEAD commit: cb8f9004be492ccc537180b49c026951f4220bf3

Vulnerability Details

In the Bouncy Castle JCE Provider version 1.55 and earlier the primary engine class used for AES was AESFastEngine. Due to the highly table driven approach used in the algorithm it turns out that if the data channel on the CPU can be monitored the lookup table accesses are sufficient to leak information on the AES key being used. There was also a leak in AESEngine although it was substantially less. AESEngine has been modified to remove any signs of leakage (testing carried out on Intel X86-64) and is now the primary AES class for the BC JCE provider from 1.56. Use of AESFastEngine is now only recommended where otherwise deemed appropriate.

Publish Date: 2018-06-04

URL: CVE-2016-1000339

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000339

Release Date: 2018-06-04

Fix Resolution: 1.56



Update to use OpenPDF 1.0.5 and remove dependency on patched iText 2.1.7.js6 version

jasperreports depends on a patched version of iText:
https://github.com/TIBCOSoftware/jasperreports/blob/master/jasperreports/pom.xml#L240

The patched iText is used here:

// the following method is part of the patched iText

Please submit the patch of iText upstream to OpenPDF here:
https://github.com/librepdf/openpdf

Then update the pom file of jasperreports to use OpenPDF 1.0.5 instead of the patched library.
Then jasperreports can depend on a maintained version of this library.

<dependency>
    <groupId>com.github.librepdf</groupId>
    <artifactId>openpdf</artifactId>
    <version>1.0.5</version>
</dependency>

Export to XLS from JasperViewer does nothing

Hello everyone. I have a library that exports to different formats (the predefined ones) from JasperViewer, but does not export to simple xls, or to xls with multiple sheets. The fact is that it does not give any error. Can it be a bug? If the file already exists and I want to replace it, it warns me, but nothing more.

OLAP4J and iText versions unavailable on repositories

Is there a reason why JasperReports depends on libraries which are not available on any repository? Because of the build errors that occur due to these dependencies, I have to exclude these libraries and add their nearest relatives from the JasperReports repository (http://jasperreports.sourceforge.net/maven2). This problem exists for the iText and the olap4j libraries. iText depends on version 2.1.7.js6, for which only a SNAPSHOT version exists. Olap4j depends on version 0.9.7.309-JS-3, where I can only find version 0.9.7.145.
Maybe I'm just blind and can't find a repository which provides them. This problem has existed for a few versions, so I'm not sure if it's my fault or if it was just overlooked.
JasperReports works fine with the alternatives but it blows up gradle build files in our projects a bit.

CVE-2019-12814 (Medium) detected in jackson-databind-2.9.8.jar

CVE-2019-12814 - Medium Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /jasperreports/jasperreports/pom.xml

Path to vulnerable library: 2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar

Dependency Hierarchy:

  • jackson-databind-2.9.8.jar (Vulnerable Library)

Found in HEAD commit: cb8f9004be492ccc537180b49c026951f4220bf3

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.

Publish Date: 2019-06-19

URL: CVE-2019-12814

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Change files

Origin: FasterXML/jackson-databind@5f7c69b

Release Date: 2019-06-14

Fix Resolution: Replace or update the following files: SubTypeValidator.java, VERSION



CVE-2016-1000338 (High) detected in bcprov-jdk15on-1.52.jar

CVE-2016-1000338 - High Severity Vulnerability

Vulnerable Library - bcprov-jdk15on-1.52.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /jasperreports/jasperreports/pom.xml

Path to vulnerable library: /root/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.52/bcprov-jdk15on-1.52.jar

Dependency Hierarchy:

  • itext-2.1.7.js6.jar (Root Library)
    • bcprov-jdk15on-1.52.jar (Vulnerable Library)

Found in HEAD commit: cb8f9004be492ccc537180b49c026951f4220bf3

Vulnerability Details

In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.

Publish Date: 2018-06-01

URL: CVE-2016-1000338

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Change files

Origin: bcgit/bc-java@b0c3ce9#diff-3679f5a9d2b939d0d3ee1601a7774fb0

Release Date: 2016-10-14

Fix Resolution: Replace or update the following files: DSASigner.java, DSATest.java



Ligatures with Myanmar fonts are not applied correctly

We are trying to create reports (with output as PDFs and images) with Myanmar fonts ('Myanmar Text' and 'Padauk'). We have created font extensions with these fonts, and those extensions are on our application's class path. Unfortunately, we are running into an issue with JasperReports not applying ligatures properly.

The problem can be reproduced with a simple Report consisting of nothing but a single Text Field or Static Text with, for example, the following content:
လက်ကားဖြန့်ချီရေး

This is what the output should look like (generated by JasperReports exporting to html):
[Image: myanmarHtml]

This is what it looks like instead (generated by JasperReports exporting to pdf):
[Image: myanmarPdf]

The above examples were created with the 'Myanmar Text' font; using other fonts yields results that are different but just as wrong - for example, ignoring ligatures entirely, rather than applying them incorrectly.

In this Community discussion, a potentially related problem with Thai fonts was discussed; there, adding the following property to the report fixed the issue:
<property name="net.sf.jasperreports.export.pdf.glyph.renderer.blocks.x" value="thai"/>
We tried adding that property to the report (replacing "thai" with "myanmar", which is the name of the appropriate Unicode block), and the subsequent output of the JasperReports Library indicates that it can resolve the AWT and PDF fonts and use the glyph rendering then; however, unfortunately this did not affect the actual output whatsoever.
